Firewall - Traffic Blocked for Some Services

piotrzu

New Member
Feb 29, 2024
Hello,

A few days ago, I enabled the Proxmox firewall. First, I set it to ALLOW all traffic in all directions at the Datacenter level:

[screenshot: Datacenter-level firewall options]

then I configured the rules on each node. I wanted to allow access to port 8006 from one specific subnet and block all other traffic from that subnet. Everything else should work as if there were no firewall:
[screenshot: node-level firewall rules]
After that, I enabled the firewall at the Node level, and then at the Datacenter level.
Everything worked fine. I could log in using the Web GUI, access SSH, and all services were working properly.

But my friend told me he had a problem with some services not working properly. They failed after I enabled the firewall, even though they were not from the subnet I had blocked.

Can you explain what might have caused the problem?


This is the output of iptables -L:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-INPUT  all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
PVEFW-FORWARD  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-OUTPUT  all  --  anywhere             anywhere           

Chain PVEFW-Drop (0 references)
target     prot opt source               destination         
PVEFW-DropBroadcast  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       udp  --  anywhere             anywhere             multiport dports 135,445
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:139
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8 */

Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             base-address.mcast.net/4
           all  --  anywhere             anywhere             /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination         
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
           all  --  anywhere             anywhere             /* PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0 */

Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere             /* PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk */

Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
RETURN     igmp --  anywhere             anywhere           
RETURN     tcp  --  x.y.0.0/24         proxmox-1.lab  tcp dpt:8006
DROP       all  --  x.y.0.0/24         proxmox-1.lab
RETURN     all  --  anywhere             anywhere           
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:60000:60050
RETURN     udp  --  x.z.0.66           proxmox-1.lab  udp dpts:5404:5405
RETURN     all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:LDyt1nr06dLvhrlWxgENwZUvx9Q */

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     igmp --  anywhere             anywhere           
RETURN     all  --  anywhere             anywhere           
RETURN     tcp  --  anywhere             x.z.0.0/24         tcp dpt:8006
RETURN     tcp  --  anywhere             x.z.0.0/24         tcp dpt:ssh
RETURN     tcp  --  anywhere             x.z.0.0/24         tcp dpts:5900:5999
RETURN     tcp  --  anywhere             x.z.0.0/24         tcp dpt:3128
RETURN     udp  --  proxmox-1.lab  x.z.0.66           udp dpts:5404:5405
RETURN     all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:yjSBUL15/+dUiSzuk1gIrR+QEFY */

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-IN  all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-OUT  all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (0 references)
target     prot opt source               destination         
PVEFW-DropBroadcast  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
PVEFW-reject  udp  --  anywhere             anywhere             multiport dports 135,445
PVEFW-reject  udp  --  anywhere             anywhere             udp dpts:netbios-ns:139
PVEFW-reject  udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
PVEFW-reject  tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:h3DyALVslgH5hutETfixGP08w7c */

Chain PVEFW-SET-ACCEPT-MARK (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x80000000
           all  --  anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */

Chain PVEFW-reject (4 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere           
DROP       icmp --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
           all  --  anywhere             anywhere             /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */

Chain PVEFW-smurfs (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0              anywhere           
PVEFW-smurflog  all  --  anywhere             anywhere            [goto]  ADDRTYPE match src-type BROADCAST
PVEFW-smurflog  all  --  base-address.mcast.net/4  anywhere            [goto]
           all  --  anywhere             anywhere             /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination         
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
           all  --  anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */

Could it be that the default Proxmox rules blocked that traffic?

Also, where are they defined? Is it possible to disable them and use only the rules defined by the administrator?


Thank you for your help.
Best regards
 
Could it be that the default Proxmox rules blocked that traffic?
What kind of traffic gets blocked / is not working properly? With that I mean source / destination IP, Ports + protocol. Are those connections to a VM or to the Host itself?

Could you post the output of iptables-save -c? That one's easier to parse imo. If those are RFC 1918 addresses then there's not really a point in censoring, and seeing the full configuration would help in debugging.


Also, where are they defined? Is it possible to disable them and use only the rules defined by the administrator?

You can check the default rules generated in our documentation [1]. There's not really a way to override them.


[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pve_firewall_default_rules
 
Hello,

Thank you for your response.
I know that the issue was related to Ceph - specifically, the connection between the Ceph interface and a few VMs. All other services are working properly.


Here is the output from iptables -L:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-INPUT  all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
PVEFW-FORWARD  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-OUTPUT  all  --  anywhere             anywhere           

Chain PVEFW-Drop (0 references)
target     prot opt source               destination         
PVEFW-DropBroadcast  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       udp  --  anywhere             anywhere             multiport dports 135,445
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:139
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8 */

Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             base-address.mcast.net/4
           all  --  anywhere             anywhere             /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination         
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
           all  --  anywhere             anywhere             /* PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0 */

Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere             /* PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk */

Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
RETURN     igmp --  anywhere             anywhere           
RETURN     tcp  --  10.105.0.0/24        10.105.0.101         tcp dpt:8006
DROP       all  --  10.105.0.0/24        10.105.0.101       
RETURN     all  --  anywhere             anywhere           
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:60000:60050
RETURN     udp  --  10.50.0.1           proxmox01.lab  udp dpts:5404:5405
RETURN     all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:n9fUiOboYDFmJ0QVYH2YVbfjoSs */

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     igmp --  anywhere             anywhere           
RETURN     all  --  anywhere             anywhere           
RETURN     tcp  --  anywhere             10.50.0.0/24         tcp dpt:8006
RETURN     tcp  --  anywhere             10.50.0.0/24         tcp dpt:ssh
RETURN     tcp  --  anywhere             10.50.0.0/24         tcp dpts:5900:5999
RETURN     tcp  --  anywhere             10.50.0.0/24         tcp dpt:3128
RETURN     udp  --  proxmox01.lab  10.50.0.1           udp dpts:5404:5405
RETURN     all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:yjSBUL15/+dUiSzuk1gIrR+QEFY */

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-IN  all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-OUT  all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (0 references)
target     prot opt source               destination         
PVEFW-DropBroadcast  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
PVEFW-reject  udp  --  anywhere             anywhere             multiport dports 135,445
PVEFW-reject  udp  --  anywhere             anywhere             udp dpts:netbios-ns:139
PVEFW-reject  udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
PVEFW-reject  tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:h3DyALVslgH5hutETfixGP08w7c */

Chain PVEFW-SET-ACCEPT-MARK (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x80000000
           all  --  anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */

Chain PVEFW-reject (4 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere           
DROP       icmp --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
           all  --  anywhere             anywhere             /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */

Chain PVEFW-smurfs (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0              anywhere           
PVEFW-smurflog  all  --  anywhere             anywhere            [goto]  ADDRTYPE match src-type BROADCAST
PVEFW-smurflog  all  --  base-address.mcast.net/4  anywhere            [goto]
           all  --  anywhere             anywhere             /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination         
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
           all  --  anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */

After disabling the firewall at the datacenter level, all Ceph mounts started successfully. They are mounted on the VMs.

Thank you for your help.
Best regards,
Peter.
 
And here is the output from iptables-save -c:
Code:
# Generated by iptables-save v1.8.9 on Mon Jun  2 14:33:57 2025
*raw
:PREROUTING ACCEPT [507572:90233793]
:OUTPUT ACCEPT [525378:95363238]
COMMIT
# Completed on Mon Jun  2 14:33:57 2025
# Generated by iptables-save v1.8.9 on Mon Jun  2 14:33:57 2025
*filter
:INPUT ACCEPT [28:1680]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:2384]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
[507553:90231287] -A INPUT -j PVEFW-INPUT
[0:0] -A FORWARD -j PVEFW-FORWARD
[525380:95363606] -A OUTPUT -j PVEFW-OUTPUT
[0:0] -A PVEFW-Drop -j PVEFW-DropBroadcast
[0:0] -A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
[0:0] -A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
[0:0] -A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
[0:0] -A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
[0:0] -A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
[0:0] -A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
[0:0] -A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
[0:0] -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
[0:0] -A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
[0:0] -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
[0:0] -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
[0:0] -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
[0:0] -A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
[0:0] -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
[0:0] -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
[0:0] -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
[0:0] -A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
[0:0] -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
[0:0] -A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0"
[0:0] -A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
[11:3064] -A PVEFW-HOST-IN -i lo -j ACCEPT
[0:0] -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
[33326:6113680] -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[28:1680] -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
[0:0] -A PVEFW-HOST-IN -p igmp -j RETURN
[0:0] -A PVEFW-HOST-IN -s 10.105.0.0/24 -d 10.105.0.101/32 -p tcp -m tcp --dport 8006 -j RETURN
[0:0] -A PVEFW-HOST-IN -s 10.105.0.0/24 -d 10.105.0.101/32 -j DROP
[28:1680] -A PVEFW-HOST-IN -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
[0:0] -A PVEFW-HOST-IN -s 10.50.0.2/32 -d 10.50.0.1/32 -p udp -m udp --dport 5404:5405 -j RETURN
[0:0] -A PVEFW-HOST-IN -j RETURN
[0:0] -A PVEFW-HOST-IN -m comment --comment "PVESIG:n9fUiOboYDFmJ0QVYH2YVbfjoSs"
[157:33078] -A PVEFW-HOST-OUT -o lo -j ACCEPT
[0:0] -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
[524967:95311418] -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A PVEFW-HOST-OUT -p igmp -j RETURN
[256:19110] -A PVEFW-HOST-OUT -j RETURN
[0:0] -A PVEFW-HOST-OUT -d 10.50.0.0/24 -p tcp -m tcp --dport 8006 -j RETURN
[0:0] -A PVEFW-HOST-OUT -d 10.50.0.0/24 -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A PVEFW-HOST-OUT -d 10.50.0.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
[0:0] -A PVEFW-HOST-OUT -d 10.50.0.0/24 -p tcp -m tcp --dport 3128 -j RETURN
[0:0] -A PVEFW-HOST-OUT -s 10.50.0.1/32 -d 10.50.0.2/32 -p udp -m udp --dport 5404:5405 -j RETURN
[0:0] -A PVEFW-HOST-OUT -j RETURN
[0:0] -A PVEFW-HOST-OUT -m comment --comment "PVESIG:yjSBUL15/+dUiSzuk1gIrR+QEFY"
[507553:90231287] -A PVEFW-INPUT -j PVEFW-HOST-IN
[116:6856] -A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
[525380:95363606] -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
[256:19110] -A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
[0:0] -A PVEFW-Reject -j PVEFW-DropBroadcast
[0:0] -A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
[0:0] -A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
[0:0] -A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
[0:0] -A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
[0:0] -A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
[0:0] -A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
[0:0] -A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
[0:0] -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
[0:0] -A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
[0:0] -A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
[0:0] -A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
[0:0] -A PVEFW-logflags -j DROP
[0:0] -A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
[0:0] -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A PVEFW-reject -s 224.0.0.0/4 -j DROP
[0:0] -A PVEFW-reject -p icmp -j DROP
[0:0] -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
[0:0] -A PVEFW-smurflog -j DROP
[0:0] -A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
[0:0] -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
[0:0] -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
[0:0] -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
[116:6856] -A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Mon Jun  2 14:33:57 2025



Thank you for your help.
Best regards,
Peter.
 
I know that the issue was related to Ceph - specifically, the connection between the Ceph interface and a few VMs. All other services are working properly.
If you have Ceph running and enable the firewall, then you need to explicitly allow Ceph traffic from/to your nodes. We already have a pre-defined Macro 'Ceph' that can be used for this. Otherwise the Ceph cluster won't work.

Also a small improvement: if you already have a default policy applied on the Datacenter level then you don't need the last 3 ACCEPT rules in your firewall ruleset, as that's already covered by the default policy.
 
Thank you for your reply.
If you have Ceph running and enable the firewall, then you need to explicitly allow Ceph traffic from/to your nodes. We already have a pre-defined Macro 'Ceph' that can be used for this. Otherwise the Ceph cluster won't work.
Should I still do that even if I allowed all traffic types in the rules?
Could the blocked traffic be caused by default rules? If so, which default rule might be responsible?


Also a small improvement: if you already have a default policy applied on the Datacenter level then you don't need the last 3 ACCEPT rules in your firewall ruleset, as that's already covered by the default policy.
Thanks, okay, I understand.
What happens if I create a new rule at the node level?

Will the rules defined at the datacenter level still apply after that, or will they be overridden?
In other words, if I define a rule at the node level, are the datacenter-level rules still included (after that rule), or does the node-level rule take precedence and block the rest of the traffic?

I really appreciate your help,
Peter
 
Should I still do that even if I allowed all traffic types in the rules?
Could the blocked traffic be caused by default rules? If so, which default rule might be responsible?
Are the Ceph monitors listening on the subnet from the firewall rule? You had a DROP rule for one subnet, so that one seems like the suspicious one. Since enabling the firewall also enables conntrack, it is possible that existing connections drop even though they would be valid, since there is no conntrack entry for them. Re-establishing them once should make them work fine though.

Will the rules defined at the datacenter level still apply after that, or will they be overridden?
In other words, if I define a rule at the node level, are the datacenter-level rules still included (after that rule), or does the node-level rule take precedence and block the rest of the traffic?
The node-level rules come first, so if a node-level rule matches then it will be applied. Otherwise the firewall will try the datacenter-level rules and look for a match there.
 
Are the Ceph monitors listening on the subnet from the firewall rule? You had a DROP rule for one subnet, so that one seems like the suspicious one. Since enabling the firewall also enables conntrack, it is possible that existing connections drop even though they would be valid, since there is no conntrack entry for them. Re-establishing them once should make them work fine though.
The traffic came from another subnet, not the one I dropped. The Ceph subnet was not related to the block. Should work fine.

Also, I found out that the traffic came from the bare-metal servers that form the Ceph cluster. There were no VMs in the Proxmox cluster related to the Ceph cluster.

The problem was with the Cinder mount - the VM running on Proxmox which couldn't mount the filesystem. After the firewall was disabled, the connection started working properly immediately.


The node-level rules come first, so if a node-level rule matches then it will be applied. Otherwise the firewall will try the datacenter-level rules and look for a match there.
So first, the Node-level rules are checked, and if none of them match, the rules from the Datacenter level are applied?

Best regards,
Peter
 
Hello,

I should also mention that the InfiniBand Subnet Manager is running on one of the Proxmox nodes in the cluster.
That part of Ceph relies on the InfiniBand network. If I'm not mistaken, the InfiniBand Subnet Manager uses multicast packets.

Maybe that's the reason why it stopped working?
Is it possible to disable the rule that blocks multicast traffic in the automatically created Proxmox rules, for testing?

Regards,
Peter
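The reply above notes that enabling the firewall also enables conntrack and that node-level rules are evaluated before the datacenter ones, and the last post asks whether the generated multicast rules could be involved. As an added example (not Proxmox code), here is a small tracer that replays a single flow through the PVEFW-HOST-IN chain copied from the iptables-save -c dump above, so you can see which rule a NEW versus an ESTABLISHED connection hits without touching the live host; the `Flow` type, the `verdict_for` helper and the rule-line excerpt are constructed for this example.

```python
# Added example, not Proxmox code: trace one flow through a chain of an iptables-save -c dump.
# Only -s/-d, -p, --dport and --ctstate are modelled; a rule using any other match is skipped.
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Excerpt of the PVEFW-HOST-IN / PVEFW-smurfs / PVEFW-smurflog rules from the dump above.
SAMPLE_DUMP = """\
[33326:6113680] -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[28:1680] -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
[0:0] -A PVEFW-HOST-IN -s 10.105.0.0/24 -d 10.105.0.101/32 -p tcp -m tcp --dport 8006 -j RETURN
[0:0] -A PVEFW-HOST-IN -s 10.105.0.0/24 -d 10.105.0.101/32 -j DROP
[28:1680] -A PVEFW-HOST-IN -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A PVEFW-HOST-IN -s 10.50.0.2/32 -d 10.50.0.1/32 -p udp -m udp --dport 5404:5405 -j RETURN
[0:0] -A PVEFW-HOST-IN -j RETURN
[0:0] -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
[0:0] -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
[0:0] -A PVEFW-smurflog -j DROP
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}

@dataclass
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None
    ctstate: str = "NEW"   # what conntrack reports for this packet: NEW, ESTABLISHED, ...

@dataclass
class Rule:
    text: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[tuple] = None    # (low, high), inclusive
    ctstates: frozenset = frozenset()
    target: Optional[str] = None
    goto: bool = False               # -g (goto) instead of -j (jump)
    unknown: bool = False            # uses a match this tracer does not model

def parse_dump(text):
    """Return {chain: [Rule, ...]} in rule order from iptables-save -c output."""
    table = {}
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 3 or not toks[0].startswith("[") or toks[1] != "-A":
            continue                 # '# Generated', '*filter', ':CHAIN' or COMMIT lines
        rule, chain, i = Rule(text=line.strip()), toks[2], 3
        while i < len(toks):
            opt, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
            if opt in ("-s", "-d"):
                net = ipaddress.ip_network(arg, strict=False)
                rule.src, rule.dst = (net, rule.dst) if opt == "-s" else (rule.src, net)
            elif opt == "-p":
                rule.proto = arg
            elif opt == "--dport":
                lo, _, hi = arg.partition(":")
                rule.dport = (int(lo), int(hi or lo))
            elif opt == "--ctstate":
                rule.ctstates = frozenset(arg.split(","))
            elif opt in ("-j", "-g"):
                rule.target, rule.goto = arg, opt == "-g"
            elif opt not in ("-m", "--comment"):
                rule.unknown = True  # addrtype, match-set, tcp-flags, physdev, -i/-o, ...
            i += 2
        table.setdefault(chain, []).append(rule)
    return table

def matches(rule, flow):
    in_range = rule.dport is None or (
        flow.dport is not None and rule.dport[0] <= flow.dport <= rule.dport[1])
    return (in_range
            and (rule.src is None or ipaddress.ip_address(flow.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(flow.dst) in rule.dst)
            and (rule.proto is None or flow.proto == rule.proto)
            and (not rule.ctstates or flow.ctstate in rule.ctstates))

def trace(table, chain, flow):
    """First terminal (verdict, rule) in `chain`; ("RETURN", None) if the packet falls off the end."""
    for rule in table.get(chain, []):
        if rule.unknown or rule.target is None or not matches(rule, flow):
            continue
        if rule.target in TERMINAL:
            return rule.target, rule
        if rule.target in table:                    # -j / -g into a user-defined chain
            verdict, hit = trace(table, rule.target, flow)
            if verdict != "RETURN":
                return verdict, hit
            if rule.goto:       # -g: a RETURN inside the callee returns to *our* caller
                return "RETURN", hit
    return "RETURN", None       # RETURN from a -j callee or a MARK-style target: next rule

def verdict_for(flow, dump=SAMPLE_DUMP, entry="PVEFW-HOST-IN", policy="ACCEPT"):
    """Final fate of `flow`. PVEFW-HOST-IN is reached via INPUT -> PVEFW-INPUT, so a
    RETURN ends at the built-in INPUT chain's policy, which is ACCEPT in the dump above."""
    verdict, rule = trace(parse_dump(dump), entry, flow)
    return (policy if verdict == "RETURN" else verdict), (rule.text if rule else None)
```

`verdict_for(Flow("10.105.0.50", "10.105.0.101", "tcp", 22))` returns DROP from the node-level subnet rule, while the same flow with `ctstate="ESTABLISHED"` is accepted by the RELATED,ESTABLISHED rule, which is the conntrack effect described in the reply. Note also that the unconditional `-j RETURN` generated from the node-level allow-all rule sits before the later cluster rules, and that the only multicast check on this chain's path is PVEFW-smurfs, which tests the *source* address (PVEFW-DropBroadcast, which drops multicast destinations, is reached only from PVEFW-Drop and PVEFW-Reject, both listed with 0 references in the dump).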